Qualys QID 13038: Remote Detection for BASH ShellShock

Today Qualys is releasing QID 13038 in VULNSIG Release VULNSIGS-2.2.831-5 for remotely detecting ShellShock. For details on BASH ShellShock, refer to Wolfgang’s blog BASH Shellshock vulnerability – Update2. As you may know, there can be multiple exploit vectors; the most popular remote vector is via a CGI script using HTTP headers. QID 13038 is based on a similar technique. If you need a complete inventory of your machines that need patching, we recommend using the authenticated QID 122693 and QID 122698.

How does the remote QID 13038 work?

The signature sends an HTTP request to the web server with the following User-Agent:

On vulnerable targets this will execute the “/usr/bin/id” command. If you want to run the signature manually using curl, you can send the following request, or you can use the “Default User Agent” plugin for Firefox.
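The remote vector above (a Bash function definition smuggled into an HTTP header that a CGI script turns into an environment variable) leaves a recognisable trace in web server logs. The following is an added example, not Qualys signature code, that parses Apache combined-format log lines and flags requests whose Referer or User-Agent carries the ShellShock trigger pattern; the log lines are constructed for the example.

```python
import re

# Bash exports a function as an environment variable whose value starts with
# "() {"; CVE-2014-6271 (ShellShock) runs whatever follows the closing brace
# when that variable is imported. A CGI script receives HTTP headers as
# environment variables, so this pattern in a header value is the trigger.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed Apache combined-format log lines (not real traffic). The two
# quoted fields at the end are Referer and User-Agent.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:09:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:09:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; /usr/bin/id"
203.0.113.9 - - [25/Sep/2014:09:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { ignored; }; echo probe" "curl/7.37.0"
198.51.100.2 - - [25/Sep/2014:09:13:00 +0000] "POST /cgi-bin/form HTTP/1.1" 302 0 "-" "scanner (){:;}"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return (ip, request, field, value) for every line whose Referer or
    User-Agent contains the function-definition trigger."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ref", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], rec["req"], field, rec[field]))
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

The last sample line is deliberately not flagged: a `() { ... }` definition with no command after the closing brace is not the injection shape, which keeps the check from firing on every brace pair.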

Pardon for the possibly incorrect comment, but this high profile issue illustrates why it would be nice to be able to run a scan for a specific QID without having to build a list and profile when you’re looking for a very specific vulnerability. I would love, for cases like this, to simply create a new scan with custom info without having to create new lists and profiles.

I mean, I agree it would be a nice feature, but where would they stop on making these very specific scan profiles? It takes less than 5 minutes to set up what you suggested, and there are a lot of feature requests that have been requested that would save a lot more than 5 minutes.

What time were the signatures pushed to the scanner appliances? Was it before 10pm?

You may have noticed in our other shellshock community articles that if you have the luxury of authentication we can leverage informational QIDs like these:

QID 105213 – List of Valid Shells

QID 45141 – Installed Packages on Unix and Linux Operating Systems (this QID is more or less where “applications” gets its data from)

There has been a steady stream of CVEs associated with Bash recently. The code has been around a long time, but it is getting pounded on lately, it seems. The latest CVE drafts I’ve come across (not released; therefore no signature yet) are CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187.

The main points of info about CVE-2014-6277 and CVE-2014-6278 so far are that they are both unrelated to the environment variable code injection of shellshock, but as it turns out could also lead to code execution.

CVE-2014-7186 is related to multiple EOF declarations. CVE-2014-7187 is similar but is caused by improperly handled cases with multiple done declarations.

We’ll all see more posts in our favorite discussion threads, and more effort will have to go into Bash problems for a while, in other words.

In the above description of QID 13038 it states "To conclude, use QID 122693 for authenticated detection of CVE-2014-6271". Can someone explain the use of the word "conclude"? Does this mean that only if a given host shows both QID 13038 and QID 122693 is it actually exploitable? Or only if both are showing is it actually vulnerable? I’m trying to determine where we have cases where it is indeed exploitable.